======================================================================
DEVWERKS SECURITY ADVISORY
www.devwerks.net
======================================================================

devWerks Advisory ID: DW-2016-006
Application: Open Upload <= 0.4.2
Vendor: The Open Upload Project
Subject: Cross-site Scripting - XSS
Author: Johannes Schroeter (j.schroeter@devwerks.net)
Date: 2016-10-09

======================================================================
Overview:

Open Upload has been designed to be extendable. These are the main features:

- Access control by groups
- Template driven
- Internationalization
- Vast database support (MySQL, PostgreSQL, flat file)
- Multiple user authentication backends (database, LDAP, AD)
- Plugins to control file upload/download limits and functionality (password protection, captcha, email, banned IP, ...)

devWerks discovered a security flaw in the Open Upload web application which allows execution of malicious code.

======================================================================
Details:

This vulnerability exists within the application's upload function and is due to improper input sanitization of the filename of an uploaded file. For example, JavaScript can be placed in the filename; because the filename is neither validated nor sanitized before it is stored and displayed, the JavaScript contained in the filename executes within the context of the Open Upload web application (a stored XSS).

======================================================================
Timeline:

2016-06-01: Vendor notified
2016-06-03: Vendor response
2016-06-03: Vulnerability details sent to vendor
2016-06-04: Vendor response - no fix
2016-10-09: Public release of this advisory

======================================================================
Recommendation:

It is recommended not to use or install Open Upload. Contact us for a patch.
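The two controls that close this class of bug, as an added example in Python (not code from the advisory or from the Open Upload project, whose source is not shown here): normalize the filename to a conservative character set when the upload is accepted, and HTML-escape it wherever it is rendered, since escaping at output time also protects names that already reached the database. The function names and the sample filenames are constructed for this example.

```python
import html
import re
import unicodedata

# Anything outside this set is replaced on upload; no markup or path characters survive.
_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")
# Characters that can open a tag or break out of an attribute when echoed into HTML.
_MARKUP = re.compile(r"[<>\"'&]")


def sanitize_filename(name: str, max_len: int = 128) -> str:
    """Reduce an uploaded filename to [A-Za-z0-9._-], dropping directory parts."""
    # Keep only the last path component, whatever separator the client used.
    base = re.split(r"[\\/]", name)[-1]
    base = unicodedata.normalize("NFKC", base)
    cleaned = _SAFE_NAME.sub("_", base).strip(". ")
    if not cleaned:  # dot-only or empty names get a fixed fallback
        cleaned = "upload"
    return cleaned[:max_len]


def render_filename(name: str) -> str:
    """Output-encode a stored filename for HTML text or attribute context."""
    return html.escape(name, quote=True)


def find_suspicious_names(stored_names):
    """Flag stored filenames that contain markup characters.

    Running this over an existing uploads table shows whether unsanitized
    names already reached storage; any hit must be escaped on display.
    """
    return [n for n in stored_names if _MARKUP.search(n)]


# Constructed sample names (not taken from the advisory).
SAMPLE_NAMES = [
    "report-2016.pdf",
    "<script>alert(1)</script>.txt",
    '" onmouseover="alert(1)".png',
    "../../etc/passwd",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "->", sanitize_filename(n), "|", render_filename(n))
    print("suspicious:", find_suspicious_names(SAMPLE_NAMES))
```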
======================================================================
References:

http://openupload.sourceforge.net/
http://devwerks.net
https://sourceforge.net/p/openupload/mailman/openupload-devel/